Debugging ssl handshake failures

Tue, 01 Sep 2020 09:58:50 -0700 

Hi haproxy
I'm wondering if there is any way to debug the error message "www-https/1: SSL handshake failure"? I've tried increasing log levels to debug etc, but nothing seems to log about why the failure occurred. 

Haproxy 2.2.2-1ppa1~focal on Ubuntu 20.04


We've had a strange regression when upgrading from the 1.x series that 
presented as very long 'Establishing SSL Connection' times in Chrome, 
but the connections would eventually go through and load the page with 
an expected cipher etc.  We're now also seeing higher than normal 
handshake failures logging but the clients seem to load the pages ok on 
a subsequent request. Basically I'm just looking for how to debug this a 
little deeper and log some of the tls protocol events/data.


Is this type of logging possible?

Thanks

--

Kevin

Few config items:

global

    nbthread 8
    log /dev/log    local0 info
    chroot /var/lib/haproxy

    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd 
listeners

    stats timeout 2m
    user haproxy
    group haproxy
    daemon

    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

#https://ssl-config.mozilla.org/#server=haproxy&version=2.2.0&config=intermediate&openssl=1.1.1f&hsts=false&ocsp=false&guideline=5.6

    ssl-default-bind-ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 
no-tlsv11no-tls-tickets
    ssl-default-server-ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11no-tls-tickets

    tune.ssl.default-dh-param 2048
    ssl-dh-param-file /etc/haproxy/dhparam

defaults
    log    global
    mode    http
    option  dontlognull
    option  forwardfor
    option  http-server-close
    option  log-health-checks
    option  redispatch
    maxconn 5000
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    timeout check 5000

    stats enable
    <stats uris and passwords>

frontend www-https


        bind :::443 v4v6 ssl crt /etc/haproxy/certs/www.example.com.pem 
crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1


        use_backend www-backend-https

backend www-backend-https
        balance roundrobin


        server app1 internal.app1.example.com:443 ssl verify required 
verifyhost app1.example.com sni ssl_fc_sni ca-file 
/etc/ssl/certs/ca-certificates.crt check check-ssl maxconn 255
        server app2 internal.app2.example.com:443 ssl verify required 
verifyhost app2.example.com sni ssl_fc_sni ca-file 
/etc/ssl/certs/ca-certificates.crt check check-ssl maxconn 255


--

HA-Proxy version 2.2.2-1ppa1~focal 2020/08/01 - https://haproxy.org/

Status: long-term supported branch - will stop receiving fixes around Q2 
2025.

Known bugs: http://www.haproxy.org/bugs/bugs-2.2.2.html

Running on: Linux 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 
UTC 2020 x86_64

Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc

  CFLAGS  = -O2 -g -O2 
-fdebug-prefix-map=/build/haproxy-8IkXw5/haproxy-2.2.2=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv 
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare 
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers 
-Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
-Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 
USE_ZLIB=1 USE_SYSTEMD=1



Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 
+PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE 
-STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT 
+CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 +ZLIB -SLZ 
+CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD 
-OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11

Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND

Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
            fcgi : mode=HTTP       side=BE mux=FCGI
       <default> : mode=HTTP       side=FE|BE mux=H1
              h2 : mode=HTTP       side=FE|BE mux=H2
       <default> : mode=TCP        side=FE|BE mux=PASS

Available services :
    prometheus-exporter

Available filters :
    [SPOE] spoe
    [COMP] compression
    [TRACE] trace
    [CACHE] cache
    [FCGI] fcgi-app

--

#openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA























					Reply via email to